openstack/tripleo-docs
Code Issues Proposed changes
tripleo-docs/doc/source/advanced_deployment/api_policies.rst
Emilien Macchi 72b4d53e89 Document how to configure OpenStack API policies 
Document the feature where TripleO is now able to configure API
policies.

Change-Id: Iabcf657a233027d325f3a3df4cfcfccdd4228567
Partial-implement: blueprint modify-policy-json
Depends-On: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
2017-03-30 12:16:48 +00:00

29 lines
1003 B
ReStructuredText
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Configuring API access policies
===============================
Each OpenStack service, has its own role-based access policies.
They determine which user can access which resources in which way,
and are defined in the services policy.json file.
.. Warning::
While editing policy.json is supported, modifying the policy can
have unexpected side effects and is not encouraged.
|project| supports custom API access policies through parameters in
TripleO Heat Templates.
To enable this feature, you need to use some parameters to enable
the custom policies on the services you want.
Creating an environment file and adding the following arguments to your
``openstack overcloud deploy`` command will do the trick::
$ cat ~/nova-policies.yaml
parameter_defaults:
NovaApiPolicies: { nova-context_is_admin: { key: 'compute:get_all', value: '' } }
-e nova-policies.yaml
In this example, we allow anyone to list Nova instances, which is very insecure but
can be done with this feature.
View Git Blame Copy Permalink